Add rhcos10 node & platform jobs to test in PR

[Anna-Koudelkova]

Not sure if we need this update (seems to me like these are working when triggered and does not have cluster issues), but for master branch I would at least still update the general config at the beginning of the yaml file - it worked with 4.16 versions and I am not sure if that was intentional or some remains of an older age.

Summary by CodeRabbit

This PR updates the OpenShift CI configuration for the ComplianceAsCode/content repository's master branch. It makes two primary changes:

1. Baseline Updates

• Updated the build root image tag to rhel-9-release-golang-1.24-openshift-4.22 (from an older Go 1.23/OpenShift 4.16 baseline)
• Updated all release references to OpenShift 4.22 (changing from 4.16 and earlier versions)

2. New RHCOS 10 Test Coverage

• Added two optional CI jobs (e2e-aws-openshift-platform-compliance-rhcos10 and e2e-aws-openshift-node-compliance-rhcos10) to test compliance with Red Hat CoreOS 10 (RHEL 10)
• These jobs run TestPlatformCompliance and TestNodeCompliance tests respectively using a RHCOS 10 image stream
• Both jobs use tech preview feature set and the nightly-latest OpenShift release for validation
• Marked as manual trigger jobs (always_run: false), allowing validation of RHCOS 10 compatibility without blocking PR merges

The author notes some uncertainty about the necessity of these changes, suggesting that existing jobs may already be functioning adequately and that configuration updates for master branch baseline may be discretionary.

[coderabbitai]

Walkthrough

The CI operator config for ComplianceAsCode/content master is updated to use OpenShift 4.22 and Go 1.24 as the build baseline, with all releases entries bumped to 4.22. Two new AWS e2e jobs for RHCOS 10 (platform-compliance-rhcos10 and node-compliance-rhcos10) are added, each set to always_run: false with OS_IMAGE_STREAM: rhel-10 and the nightly-latest release image override.

Changes

ComplianceAsCode CI Config: OCP 4.22 Baseline and RHCOS 10 Jobs

Layer / File(s)	Summary
Build root and releases version bump to 4.22 ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml	build_root.image_stream_tag.tag updated to OpenShift 4.22/Go 1.24; releases section rewritten to use 4.22 for arm64-latest, initial, latest, and nightly-latest, removing prior 4.16/older references.
New RHCOS 10 platform and node compliance e2e jobs ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml	Two new always_run: false AWS e2e jobs inserted: e2e-aws-openshift-platform-compliance-rhcos10 running TestPlatformCompliance and e2e-aws-openshift-node-compliance-rhcos10 running TestNodeCompliance, both configured with OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:nightly-latest, OS_IMAGE_STREAM: rhel-10, FEATURE_SET, COMPUTE_NODE_REPLICAS, and -install-operator=${INSTALL_OPERATOR:-true}.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/release#80240: Also updates CI release configuration targeting OCP 4.22 by bumping releases version/channel fields in a YAML job definition.

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change—adding RHCOS 10 node and platform compliance jobs to the CI configuration for testing in pull requests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Check is not applicable: PR modifies CI operator configuration (YAML), not Ginkgo tests. Test names referenced (TestPlatformCompliance, TestNodeCompliance) are static Go test functions, not Ginkgo...
Test Structure And Quality	✅ Passed	The PR modifies only a CI/CD configuration YAML file, not Ginkgo test code. The custom check for Ginkgo test code quality is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR does not add new Ginkgo e2e tests to the repository; it only adds CI job configurations that run pre-existing external tests from ComplianceAsCode/ocp4e2e. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo test code is added in this PR—only CI job configuration YAML files are modified. The check for SNO compatibility applies to new test definitions (It(), Describe(), etc.), which are no...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only a CI configuration file that defines test job definitions, not deployment manifests or operator code. It contains no scheduling constraints, affinity rules, pod specs, or topo...
Ote Binary Stdout Contract	✅ Passed	The PR only modifies a YAML CI configuration file with no source code changes, making the OTE Binary Stdout Contract check (applicable to process-level code in binaries) not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It(), Describe(), Context(), etc.) are added in this PR. The PR only adds CI configuration for running existing tests from an external repository (ocp4e2e). The custom chec...
No-Weak-Crypto	✅ Passed	The pull request only modifies a YAML CI configuration file. No weak cryptography, custom crypto implementations, or insecure secret comparisons are present.
Container-Privileges	✅ Passed	File is a CI operator config, not a container/K8s manifest; no privileged security configurations present or applicable.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, internal hostnames) found in logging or configuration. All environment variables contain non-sensitive config values and debug flags are consist...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Anna-Koudelkova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@Anna-Koudelkova: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-ComplianceAsCode-content-master-e2e-aws-openshift-node-compliance-rhcos10	ComplianceAsCode/content	presubmit	Presubmit changed
pull-ci-ComplianceAsCode-content-master-e2e-aws-openshift-platform-compliance-rhcos10	ComplianceAsCode/content	presubmit	Presubmit changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-cis	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-cis-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-e8	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-high	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-high-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-moderate	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-moderate-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-pci-dss	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-pci-dss-4-0	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-pci-dss-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-pci-dss-node-4-0	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-stig	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-ocp4-stig-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-rhcos4-e8	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-rhcos4-high	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-rhcos4-moderate	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-e2e-aws-rhcos4-stig	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.12-images	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.14-e2e-aws-ocp4-bsi	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.14-e2e-aws-ocp4-bsi-node	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.14-e2e-aws-ocp4-pci-dss-4-0	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.14-e2e-aws-ocp4-pci-dss-node-4-0	ComplianceAsCode/content	presubmit	Ci-operator config changed
pull-ci-ComplianceAsCode-content-master-4.14-e2e-aws-rhcos4-bsi	ComplianceAsCode/content	presubmit	Ci-operator config changed

A total of 235 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[Anna-Koudelkova]

/pj-rehearse pull-ci-ComplianceAsCode-content-master-e2e-aws-openshift-platform-compliance-rhcos10

[openshift-merge-bot]

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml`:
- Around line 85-110: Both RHCOS 10 compliance jobs are missing critical
configuration to test the PR's content changes. In the
e2e-aws-openshift-platform-compliance-rhcos10 job (lines 85-110), add an
ocp4-content-ds dependency block in the test step's dependencies section (after
the line 90 area, following the pattern used in the existing platform compliance
job) and add the flag -content-image="$CONTENT_IMAGE" to the go test command.
Similarly, in the e2e-aws-openshift-node-compliance-rhcos10 job (lines 111-136),
add the same ocp4-content-ds dependency block in the test step's dependencies
section (after the line 116 area, following the pattern used in the existing
node compliance job) and add the same -content-image="$CONTENT_IMAGE" flag to
its go test command. This ensures both jobs will test against the PR's actual
ComplianceAsCode content rather than defaults.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5caa599c-2c5d-421f-b880-9b26e8205a70

📥 Commits

Reviewing files that changed from the base of the PR and between c7b560b and 4014e67.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Missing content image dependency in both RHCOS 10 compliance jobs. Both new RHCOS 10 jobs omit the ocp4-content-ds image dependency and the -content-image test flag, meaning they will not test the PR's ComplianceAsCode content changes—only default/missing content.

• ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml#L85-L110: Add the ocp4-content-ds dependency block after Line 90 (in the test step's dependencies: list, similar to lines 54-56 in the existing platform job) and include -content-image="$CONTENT_IMAGE" in the go test command on Line 105.
• ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml#L111-L136: Add the ocp4-content-ds dependency block after Line 116 (in the test step's dependencies: list, similar to lines 77-79 in the existing node job) and include -content-image="$CONTENT_IMAGE" in the go test command on Line 131.

📍 Affects 1 file

• ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml#L85-L110 (this comment)
• ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml#L111-L136

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master.yaml`
around lines 85 - 110, Both RHCOS 10 compliance jobs are missing critical
configuration to test the PR's content changes. In the
e2e-aws-openshift-platform-compliance-rhcos10 job (lines 85-110), add an
ocp4-content-ds dependency block in the test step's dependencies section (after
the line 90 area, following the pattern used in the existing platform compliance
job) and add the flag -content-image="$CONTENT_IMAGE" to the go test command.
Similarly, in the e2e-aws-openshift-node-compliance-rhcos10 job (lines 111-136),
add the same ocp4-content-ds dependency block in the test step's dependencies
section (after the line 116 area, following the pattern used in the existing
node compliance job) and add the same -content-image="$CONTENT_IMAGE" flag to
its go test command. This ensures both jobs will test against the PR's actual
ComplianceAsCode content rather than defaults.

[Anna-Koudelkova]

/pj-rehearse pull-ci-ComplianceAsCode-content-master-e2e-aws-openshift-node-compliance-rhcos10

[openshift-merge-bot]

@Anna-Koudelkova: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@Anna-Koudelkova: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.